Shanya: A new Packer-as-a-Service hiding ransomware and disabling EDR defenses

516/68 Thursday, December 11, 2025

Sophos has published new research on Shanya, an emerging cyber threat offering a novel Packer-as-a-Service (PaaS) model. Similar to how Ransomware-as-a-Service (RaaS) enables inexperienced attackers to deploy ransomware easily, PaaS provides threat actors with an additional weapon: the ability to create obfuscation layers that hide malware from antivirus and defensive tools. Shanya is rapidly gaining popularity in cybercriminal communities worldwide and is beginning to replace older tools such as HeartCrypt, with widespread activity detected in Tunisia and the United Arab Emirates.

A key feature of Shanya is its capability as an “EDR Killer”, a tool designed to disable Endpoint Detection and Response systems. It uses a technique that pairs a legitimate (clean) driver with a malicious driver, tricking the system into trusting the operation. Once granted elevated privileges, Shanya can terminate or delete security processes, effectively clearing the path for ransomware to execute without interference. Sophos has confirmed that notable ransomware groups, including Akira, Medusa, Qilin, and Crytox, are already using Shanya in active attacks. The same technique has also been observed in ClickFix-related campaigns impersonating Booking[.]com to deploy CastleRAT malware.

According to Sophos, PaaS offerings and EDR-disruption tools will continue to pose major threats as long as they remain profitable for attackers. Organizations and users must prepare accordingly. Effective defense requires more than security tools alone; it must be paired with strong cyber hygiene, reliable EDR solutions, regular monitoring for Indicators of Compromise (IOCs), and, most importantly, awareness training to counter social engineering tactics. Frequent patching is essential to close vulnerabilities before they are exploited.

Source: https://www.darkreading.com/threat-intelligence/packer-as-a-service-shanya-hides-ransomware-kills-edr